The Juniper EX switch must be configured to uniquely identify all network-connected endpoint devices before establishing any connection.
An XCCDF Rule
Description
Controlling LAN access via 802.1x authentication can assist in preventing a malicious user from connecting an unauthorized PC to an access interface to inject or receive data from the network without detection. 802.1x includes Static MAC Bypass and MAC RADIUS for those devices that do not offer a supplicant.
Documentable: false
- ID: SV-253949r843880_rule
- Severity: High
- References
- Updated
Remediation - Manual Procedure
Configure 802.1x authentication on all host-facing access interfaces. To authenticate those devices that do not support an 802.1x supplicant, Static MAC Bypass or MAC RADIUS must be configured.
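An added example, not part of the STIG text: a Python audit over a Junos "set"-format configuration that lists access interfaces with no 802.1x authenticator entry and records which method covers the rest. The sample configuration, its addresses and interface names are constructed, and the script assumes access ports are declared with `interface-mode access` (or legacy `port-mode access`).

```python
import re

# Constructed sample in Junos "set" format; addresses and interfaces are illustrative.
SAMPLE = """\
set access radius-server 192.0.2.10 secret "<PSK>"
set access profile dot1x_radius radius authentication-server 192.0.2.10
set protocols dot1x authenticator authentication-profile-name dot1x_radius
set protocols dot1x authenticator interface ge-0/0/0.0 supplicant single
set protocols dot1x authenticator interface ge-0/0/1.0 mac-radius
set protocols dot1x authenticator static 00:00:5e:00:53:01 interface ge-0/0/2.0
set protocols dot1x authenticator interface ge-0/0/2.0 supplicant multiple
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/47 unit 0 family ethernet-switching interface-mode trunk
"""
ACCESS = re.compile(r"set interfaces (\S+) unit (\d+) family ethernet-switching "
                    r"(?:interface-mode|port-mode) access$")
DOT1X = re.compile(r"set protocols dot1x authenticator interface (\S+)(.*)")
STATIC = re.compile(r"set protocols dot1x authenticator static \S+ interface (\S+)")
PROFILE = re.compile(r"set protocols dot1x authenticator authentication-profile-name (\S+)")
RADIUS = re.compile(r"set access profile (\S+) radius authentication-server \S+")

def unit(name):
    # Normalise ge-0/0/0 to ge-0/0/0.0 so both spellings compare equal.
    return name if "." in name or name == "all" else name + ".0"

def audit(config):
    access, enabled, methods, used, with_radius = set(), set(), {}, set(), set()
    for line in map(str.strip, config.splitlines()):
        if m := ACCESS.match(line):
            access.add(f"{m[1]}.{m[2]}")
        elif m := DOT1X.match(line):
            enabled.add(unit(m[1]))  # port is under the 802.1x authenticator
            kind = "mac-radius" if "mac-radius" in m[2].split() else "802.1X"
            methods.setdefault(unit(m[1]), set()).add(kind)
        elif m := STATIC.match(line):
            methods.setdefault(unit(m[1]), set()).add("static-mac-bypass")
        elif m := PROFILE.match(line):
            used.add(m[1])
        elif m := RADIUS.match(line):
            with_radius.add(m[1])
    # "interface all" covers every port; otherwise each access port needs its own entry.
    covered = access if "all" in enabled else access & enabled
    return {"unprotected": sorted(access - covered),
            "methods": {i: sorted(methods.get(i) or methods.get("all", ())) for i in sorted(covered)},
            "profiles_missing_radius": sorted(used - with_radius)}
```

Calling `audit(SAMPLE)` reports `ge-0/0/3.0` as an access port with no authenticator entry; trunk ports are ignored because the requirement is stated for host-facing access interfaces.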
Configure RADIUS if available:
set access radius-server <RADIUS IPv4 or IPv6 address> secret "<PSK>"
set access profile dot1x_radius radius authentication-server <RADIUS IPv4 or IPv6 address>
-or-